1 DE920020049US1 

Autonomic Embedded Computing "Dynamic Storage 

Subsystem Morphing" 

TECHNICAL FIELD OF THE INVENTION 

[0001] The present invention relates to the field of embedded 
processing systems and to autonomic embedded computing 
solutions, and in particular to embedded processing system 
covering a plurality of technical applications, the operative 
functions of which are performed with a respective plurality of 
application-specific Electronic Control Units (ECU) applying 
general loosely coupled multiprocessing. 

BACKGROUND OF THE INVENTION 

[0002] The typical application fields of embedded processing 
systems and Electronic Control Units (ECUs) covered by the 
proposed invention is covering the major embedded systems market 
segments : 

1. Automotive ECUs, Multi-Media Units, Telematics-Units 

2. Industrial Control Units (machinery tool control, 
manufacturing-line control units) 

3. Home- Appliance Electronic Control Units 

4. Commercial and Industrial Diagnostics Equipment tools. 



[0003] The term "embedded system" is to be understood as any 
computing system or computing device that performs at least one 



d) . 2 DE920020049US1 

dedicated function or is designed for use with a specific 
software application, which forms part of any larger technical 
context "embedding" or surrounding said system, i.e., any 
technical unit, technical device, technical system, technical 
plant, as e.g. a car, an aircraft, an undus trial production 
line, etc.. As the electronic systems built-in (embedded) into 
modern automobiles are characterized by significant rates of 
growth, the present invention is of significant value of this 
emerging market, directs a specific focus thereto, and is 
defined from prior art of this application field next below. 

[0004] In the most recent years, the embedded electronics of 
automobiles increased dramatically. Due to this increase of the 
relevance of the embedded electronics of modern automobiles, the 
invention is advantageous to this industry sector. The 
aggregated value of electronics installed in today's high-end 
vehicle is already representing a value of 20% to 3 0% of the 
entire vehicle. This change in the 'nature' of today's 
automobiles is encountering various consequences. 

[0005] Previously - typical to the mechanical nature of 
automobiles - the potential vehicle defects were normally 
dominated by mechanical wear out and associated malfunctions. 
Due to the described increase of electronics complexity and 
electronic component volume - the nature of vehicle failures is 
changing. As documented in vehicle breakdown statistics, the 
vehicle defects throughout the vehicle lifecycle is already 
dominated by electronic system failures. 

[0006] Thus, in order to meet future requirements of this 
industry sector, the general requirements particularly relevant 
for future automotive embedded systems are the following: 
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1. Improved electronics reliability, 

2. Cost effectiveness of the electronic components, 

3. Fault tolerance for all safety related electronic systems 
and mechanical systems, 

4. Autonomic system behavior for the major vehicle 
electronic subsystems, 

5. Advanced diagnostic and maintenance capabilities, 

6. System ' upgrade' and EC change capability (embedded 
software and firmware update) . 

[0007] Before discussing the disadvantages of prior art 
vehicle embedded systems, their basic structure and function 
will be described with reference to fig. 1 and 2 next below. 

[0008] Prior art embedded automotive systems comprise a 
communication ECU 10 connecting the vehicle to external systems 
(WAN) via an interface to a wireless network, like GSM. Further, 
a plurality of real-time ECUS 12, 14, 16 is provided, each ECU 
being dedicated to perform a specific functionality in the 
vehicle. Examples are open/closing the doors, the windows, 
controlling the light, etc. They have specific I/O subsystems 
connecting to a variety of real-time buses 13, like CANl, CAN2 , 
CAN3, VAN, J1850, and the like. Further, a multimedia (MM) ECU 
18 is provided, offering the human/machine-interface (HMI) and 
thus audio, video (multimedia, abbreviated herein as MM) 
capabilities to people using the vehicle. The multimedia ECU 
head unit 18 is thus provided with a specific multimedia 
supporting I/O bus 19, e.g. a MOST bus. The functional elements 
of the communication ECU 10, real-time ECU 12 and multimedia 
head unit 18, being in a respective broken line frame are often 



a) . 4 DE920020049US1 

combined in prior art to a single functional unit, further 
called in here "automotive telematics ECU" . The before-mentioned 
single ECUs are connected via an inter-ECU-bus having reference 
sign 11. 

[0009] With further reference to fig. 2 the before-mentioned 
automotive telematics ECU is described in more detail. 

[0010] The real-time ECU 12 comprises a real-time processor 
(CPU (1)) 20, connected to a respective storage subsystem 24 and 
to a specific I/O subsystem 26 connecting to various sensor 
devices, and to the before-mentioned real-time bus, e.g. CAN, 
13. An instruction sequence is processed in a processing branch 
1, ie a processing element or processing subsystem having 
reference sign 22. 

[0011] The before-mentioned multimedia ECU 18 comprises a 
respective, high performing main processor (CPU (2)) 28, 
connected to a respective storage subsystem 32 and to respective 
I/O subsystems 34 for providing multicolour display, voice 
driven system input, etc. The multimedia ECU is connected to the 
multimedia bus 19. Both ECU functions 12 and 18 are provided 
within a single housing, which plays, however, a minor role in 
the context of the present invention. 

[0012] It should be noted that the real-time processor 20, 
herein referred to also as CPU (1), has less performance but 
should be able to quickly handle any necessary interrupts, and 
the storage subsystem 24 of the real-time ECU is considerably 
smaller than that of the multimedia ECU 18, for example 512 KB 
in relation to 64 MB. The two internal processing branches 
cooperate in a loosely coupled multiprocessing way. The typical 
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functional services of processing branch 1, reference sign 22, 
are real-time related. Functions like unlock the vehicle-doors, 
start the engine, control the lights, etc. are processed. 
Typically, this processing branch requires a performance 
equivalent of 20 MIPS and a storage footprint of 500 KB. The 
processing branch 2, reference sign 30 is run by a respective 
high-performing multimedia processor 28 - also referred to 
herein as main CPU (2) - representing the main processing system 
of the multimedia ECU 18, and is provided with the major 
processing performance and a respective large system storage, as 
mentioned above. Typical functions of the main multimedia 
processor are, for example, driver authentication, driver speech 
recognition, HMI facility in the field of audio, video and 
haptic capabilities. 

[0013] A system fault handler 3 6 of the prior art system 
monitors the functionality of the components described above and 
detects error status situations of single functional units. If 
an error status is detected, the fault handler 3 6 switches to a 
redundantly provided "shadow system", depicted with reference 
sign 39, which continues operation after a respective reboot 
procedure . 

[0014] In case of a CPU failure, the entire processing- 

branch related functionality will be lost, and in case of a 
storage subsystem failure, the entire processing-branch- 
related functionality will be lost. 

[0015] Typical solutions to provide fault tolerance and 

increased reliability are typically realized applying massive 
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redundant systems and subsystems. The drawbacks of this 
redundancy are: 

- high system costs, 

- increased physical dimensions in size and mass, 

- increased power dissipation, 

- increased electronic volume - and therefore increased 
potential for subsequent failures. 

[0016] It is thus an objective of the present invention to 

provide an improved embedded system and a method to operate it, 
which requires less redundant components. 

SUMMARY OF THE INVENTION 

[0017] In order to avoid high costs for providing increased 

system reliability and robustness against any type of runtime 
problems by redundant resources, it is basically proposed 
according to the present invention to: 

a) operate a preselected one of said ECUs as a "donor" ECU being 
provided with predefined storage subsystem resources, and 

b) in case of a breakdown of a storage subsystem and/ or 
processing subsystem of an "non-donor" ECU donating respective 
predefined resources to said breakdown ECU. 

[0018] Preferably, this means to select one of said ECUs as 

a "donor" -ECU, ie an ECU being anyway provided with larger 
amount of storage area and processing resources, for supporting 
other non-donor ECUs in case they have a breakdown in their 
resources. A Dynamic Storage Subsystem Morphing (DSSM) 
mechanism is implemented connected to said plurality of 
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resources, which reserves some storage area for each non-donor 
ECU, ready for an inventionally provided "slot-down/slot-up" 
access by a respective non-donor ECU having a storage subsystem 
breakdown. Said slot-down process enables the use of an actually 
high physical address range by the non-donor processor which is 
basically provided with addressing capabilities sufficient only 
for addressing lower address ranges. 

[0019] Advantageously, a split-cycle mode is run, in which 
the operation cycle of the commonly used memory subsystem is 
used in an alternating way either by said donor-processor, or by 
a non-donor processor. In absence of an integrated ASIC 
architecture a fast FET-switch-based multiplexing mechanism is 
provided for fast switching between both processors, such that 
the timing requirements of the processors are achieved. 

[0020] In case of a non-donor ECU processor breakdown a 
shared-processor operation mode is proposed, in which the donor- 
processor takes over the role of the breakdown processor which 
guarantees for continued operative functions accompanied by some 
tolerable, minor degradation of functionality of the embedded 
system. In the automotive field of use the donor-ECU comprises 
the Human-Machine-Interf ace/Multi-Media (HMI/MM) processor, and 
one donor-ECU comprises the real-time processor. The definition 
of a breakdown is proposed to be basically radical, targeting to 
replace a processor or a whole storage subsystem, and excluding 
minor error correction scenarios. Advantageously, in an 
implementation other than an integrated ASIC, the multiplexing 
necessary for accessing the * slot-out" storage area is done by a 
FET-switch known per se from high bandwidth channel switching in 
networks . 
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[0021] In regard of the fact that a prior art ECU is 
typically built by a single device packed in a single housing it 
should be noted that the present invention provides improvements 
for multiply cooperating processing systems regardless of being 
realized in a single housing, ie a "single ECU design", or being 
realized in a multi-ECU approach by means of being implemented 
in multiple housings. 

[0022] Thus, the above mentioned objective of the invention 
is achieved by the features stated in enclosed independent 
claims. Further advantageous arrangements and embodiments of the 
invention are set forth in the respective subclaims . Reference 
should now be made to the appended claims . 

[0023] According to its broadest aspect the present invention 
discloses a method for operating an embedded system covering a 
plurality of technical applications, the operative functions of 
which are performed with a respective plurality of application- 
specific Electronic Control Units (ECU) , whereby each ECU has 
separate need of resources regarding at least processing and 
storage subsystem, whereby the method is characterized by the 
steps of: 

a) operating a preselected one of said ECUs as a "donor" ECU 
with a storage subsystem being increased for some predetermined 
degree, e.g. 110% of normally existent storage, i.e., 10% 
increase or more, 

b) reserving for at least one of said ECUs a predetermined 
storage area in the storage subsystem primarily associated with 
a preselected donor ECU of said plurality of ECUs, having a 
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remarkable higher storage subsystem need and resources than the 
rest of ECUs, 

c) providing to each non-donor ECU an access to said reserved 
storage area, 

d) monitoring the operation of said ECUs, 

in case of breakdown of a non-donor ECU storage subsystem: 

e) transforming addresses associated with said reserved storage 
area to new addresses adapted for being accessible by said 
breakdown ECU, where the transforming step is done in context 
with a memory access by a non-donor ECU, e.g. a real-time ECU 
being provided with access facilities to only a smaller address 
room compared to a multimedia ECU, 

f) assigning access to said non-donor ECU to a respective one of 
said reserved storage areas by using said transformed addresses. 

[0024] The above transforming step e) is referred to also as 
slot-down memory access, as the reserved memory is mirrored down 
by preferably taking the complement of the reserved area storage 
address, in order to reserve the most important sections of the 
reserved area for the boot sector and operating system at 
maximum high addresses while concurrently processing them 
bottom-most according to the usual top/down memory structure. 

[0025] The above step f) multiplexes between a single storage 
and two (or more) different processors further referred to 
herein as non-donor CPU(l) and donor CPU (2) . The multiplexing is 
done in a preferred way by fast prior art FET switches detailed 
further below: 
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[0026] Further, in case of breakdown of a non-donor ECU 
processor it is proposed to perform the step of operating said 
donor-ECU in a shared-processor mode, in which a predetermined 
controllable extent of donor-ECU processor resources is used to 
run applications, which have run at the breakdown ECU before its 
breakdown. In this situation a single donor-CPU (2) is used for 
accessing its own donor memory subsystem and the one or more 
non-donor memory subsystems. Thus, also in this case, a 
respective multiplexing is performed as mentioned above, but the 
address transforming step is not necessary, as said donor- CPU 
runs with the respective original addresses of either respective 
memory subsystem. 

[0027] Thus, it is proposed to operate a plurality of said 
ECUs in a combined way in which the workload of non-donor ECUs 
is shifted to said donor ECU. The advantage results that in case 
of above breakdown situations of non-donor ECU, this ECU'S job 
will be continued by the donor ECU. If the donor ECU is provides 
a sufficient performance and its original tasks are less 
important than that one of the non-donor ECU, the inventional 
approach takes profit from this particular situation and 
provides for continued operation in error conditions accompanied 
by a tolerable, minor, i.e. "graceful" degradation of 
functionality, for example a slower refresh rate in a video 
display, or the like. 

[0028] When the donor-ECU is a Human-Machine Interface 
Multimedia unit (HMI/MM) , and a non-donor ECU is a real-time ECU 
having a considerable lower storage need than the donor ECU, the 
present invention exactly covers the current and maybe future 
situations of the automotive embedded systems and helps to 
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improve such systems in the above-mentioned sense while avoiding 
higher costs due to saved redundant devices. 

[0029] Further, when a breakdown is defined already by minor 
errors, limited to a non-successful operation of a subtotal of 
applications running in an ECU, then the advantage results that 
error handling is easier even in complex systems, as the 
permanently existing cross-relationships between the error 
statuses of two or more applications running in the same 
embedded system on the same ECU need not explicitly be handled. 
Instead, the whole subsystem, e.g. memory or processor, or both, 
is /are excluded from operation. This helps to obtain increased 
robustness of ECU operation. When the breakdown ECU 
functionality is further monitored and the breakdown status has 
disappeared, the normal way of operation may be retrieved. 

[0030] Advantageously, the procedure of reserving said 
storage area is performed by hardware means, or in combination 
with processor-specific memory management means, operation 
system specific means, or middleware-specific means, as it is 
absolutely required that the reserved area is not used by any 
other application. 

[0031] When the autonomic system controller 60 determines 
that a component is not more in error status, and works fine 
again, then the inventive system switches back to the normal 
operation mode after having performed a check of the former 
breakdown unit. 

[0032] When the non-donor ECU performs permanently write and 
read access to both, its own storage subsystem and the reserved 
area in the donor-ECU subsystem, a permanent split-cycle 



12 



DE920020049US1 



operation mode can be run, which enables for nearly 
interruption- free operation in case the non-donor storage 
subsystem falls in the breakdown status. In this case, an error 
can also be defined when a compare on a read access from both 
memories yields different data. Further, instead of defining a 
radical breakdown it may be advantageous to first perform 
checksum analysis, prior art error analysis and acting according 
to their results. 

[0033] The embedded system according to the invention may 
include multiplexer means for assigning access to said non-donor 
ECU to a respective one of said reserved storage areas, wherein 
the multiplexer means is implemented as a FET switch array. By 
that, multiplexing between two different processor devices does 
not add significant processing delay time to the system 
processing performance. 

[0034] The embedded system may comprise an autonomic system 
control logic, which contains the major portion of error 
handling intelligence, and controls the before-mentioned DSSM 
chip according to its logic. Said autonomic system control logic 
is advantageously implemented in a programmable ASIC. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0035] The present invention is illustrated by way of example 
and is not limited by the shape of the figures of the 
schematical drawings in which the schematic representation of: 

Fig. 1 illustrates the different, basic types of ECUs present 
in a prior art "networked" vehicle; 
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Fig. 2 illustrates the basic components and functionality of 
a prior art fault tolerant "automotive telematics ECU" by 
providing a respective redundant shadow system; 

Fig. 3 illustrates the basic inventive approach in a system 
according to fig. 2 and avoiding a redundantly provided shadow 
system; 

Fig. 4 illustrates a DSSM CPU/storage address layout example; 

Fig. 5 illustrates an inventive procedure of DSSM storage 
subsystem "morphing" ; 

Fig. 6 illustrates the basic structure and functionality of 
autonomic system control and DSSM signal morphing (slot down / 
slot up) according to a preferred embodiment of the invention; 

Fig. 7 illustrates some more details of the DSSM signal 
morphing of fig. 6; 

Fig. 8 illustrates in a time line increasing from left to 
right a DSSM w split-cycle-mode" for accessing the storage 
according to a preferred embodiment of the present invention; 

Fig. 9 illustrates a minimum delay address multiplexer 
implementation, when a FET-switch is used; and 

Fig. 10 illustrates the N-channel, MOS- transistor , CMOS-gate 
characteristics applied in a FET-switch used in fig. 9. 
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DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

[0036] With general reference to the figures and with special 
reference now to fig. 3 a preferred implementation of the 
before-mentioned automotive telematics unit is described in more 
detail as a specific embodiment of the present invention, in 
which the donor-ECU is the multimedia ECU 18, and only one 
single non-donor-ECU is applied, i.e. a real-time ECU 12. It 
should be noted, however, that this embodiment can be easily- 
extended to comprise more than one real-time ECU and may 
modified broadly without departing from the very scope of the 
invention, eg by providing also some donor functionality or 
attributes within the real- time ECU 12. The limitation is thus 
simply caused for sake of increased clarity of the core ideas of 
the present invention. 

[0037] As reveals from fig. 3, according to this specific, 
inventive embodiment a circuit 40 is provided which replaces, the 
system fault handler 36 provided in prior art, i.e. which 
incorporates the basic logic of it and, additionally includes 
most of the inventive features. Details of the circuit 40 are 
described in more detail with reference to fig. 6 later below. 

[0038] With first reference to fig. 4 an inventional DSSM 
CPU/storage address layout example is described which serves to 
illustrate the way, in which addresses from the donor-ECU 
originating from a higher address range are transformed to a 
addresses of lower range, in order to be able to be accessed by 
the non-donor-ECU, i.e. the real-time ECU 12, which processes a 
smaller address range due to its reduced storage area compared 
to the donor-storage area from multimedia ECU 18. 
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[0039] In fig. 4, the two most left columns indicate, that an 
address room of multimedia ECU 18 may be constructed by an 
address room of 24 bit, which corresponds to 16,7 million 
storage locations, which may be accessed via a 24 bit wide 
address bus. Of course, the storage of said multimedia ECU 18 
further comprises respective control lines required to perform a 
read or write access to the storage. The second column 
corresponds to a respective power of 2, depicted in the most 
left column. The third column shows that address lines 21 and 22 
are forced according to a preferred feature of the present 
invention to u 0", in order to reserve storage area for the 
processing branch of the real-time ECU 12, in case its storage 
resources fall in a breakdown status. Thus, a storage "slot" is 
excluded from original usage by the multimedia ECU 18. The 
excluded area may be dimensioned as the normally used memory 
subsystem of said non-donor ECU 12, e.g. 512 kByte in relation 
to 4 Mbyte address room of the donor ECU 18. It should be 
stressed that the inventive approach is explicitly covering 
future storage dimensions of e.g. 4 Mbyte for real-time ECUs and 
512 Mbyte for Multimedia ECU 18. 

[0040] With further reference to fig. 5 the multimedia ECU 18 
storage is depicted in the left portion of the figure and the 
"virtual" storage area used by the real-time ECU 12 storage 
subsystem is depicted in the right-hand portion of fig. 5. The 
term " virtual" is used in order to express that in case of a 
breakdown of the original real-time ECU storage subsystem 24, 
the physical storage area of the multimedia ECU storage system 
depicted at the left side of fig. 5 is used, but in a way of 
operation, which is basically transparent to the real-time 
processor 20. 
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[0041] In more detail, in the bottom most section of the 
multimedia storage subsystem area, depicted at the left side, 
the boot code is stored, in the next section the operating 
system is stored, in the next section above the address room 
being available for all multimedia applications is stored, 
followed by some smaller area dedicated for the runtime 
variables of the underlying multimedia applications, which is 
followed by a free, so-called "headroom" which is used for 
temporary usage of the multimedia ECU 18. This basic bottom-up 
structure is coincident with prior art storage use. 

[0042] According to a basic feature of the present invention, 
however, a reserved storage area is provided for operation of 
the applications run by the real-time CPU 12, which is depicted 
with reference sign 50, which is depicted as a shaded area in 
the top most portion of the multimedia storage subsystem 32 this 
reserved storage area 50 is delimited by the hex-addresses 
XA00000 and by xFFFFF. The reserved area corresponds to the area 
being indicated by the lines 21 and 22 in fig. 4. Thus, in this 
example a reserved area of 6,291,456 addresses are reserved for 
the operation of the real-time ECU. 

[0043] According to a basic feature of the present invention 
this reserved area remains unused during normal operation of 
both ECUs. In case of storage subsystem breakdown of the real- 
time ECU 12, however, this ECU will be rebooted with the address 
room reserved for it in the storage of the multimedia ECU 18. 
According to a preferred aspect of the present invention this 
occurs in the so-called DSSM - Dynamic Storage Subsystem 
Morphing - mode, which performs a morphing or w slot-down/up" 
process: in this process the bits A21 and A23 are forced to the 
logical "1" value, which tears down any obstacles for writing 
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into or reading from the reserved area. Further, the DSSM 
circuit will multiplex the original bits A22 to the place of A21 
thus shifting the significant value to 2power21 what in a 
practical explanation will adjust the address max. to Hex 
600000. 

[0044] In the simplest implementation, the processing branch 
1 (PB1) code including the associated applications will start 
from the 'lower address' leading to the higher addresses, as the 
PB2 physical layout shows in fig. 5 -see its left portion marked 
by "PHYSICAL". However, depending on the processor in use it 
may also be useful to boot from maximum address in top-down 
direction - beginning at address xFFFFFF as shown in the fig. 5 
PHYSICAL example. 

[0045] In this preferred storage address „morphing" process 
the addresses are transformed in their complements in order to 
invert the sequence, in which the information is stored, because 
it is intended to store the most important information in the 
very top portion of the multimedia ECU storage subsystem, i.e. 
the storage reserved for the operating system for the real-time 
processor 20, and in order to guaranty, that the usual storage 
operation may be continued in the breakdown situation for the 
real-time ECU. Thus, by the before-mentioned steps of forcing 
bits A21 and A23 to logical "1" and by shifting the significant 
bits and by complementing them, the inventionally provided DSSM 
mechanism may be controlled to redirect any memory access from 
the breakdown subsystem storage to the well-working storage of 
the multimedia ECU 18. Thus, after a reboot of the real-time 
processor 20 the real-time applications may continue using the 
storage area "donated" by the donor ECU 18. It should be noted 
that the storage area of the donor ECU 18 should be dimensioned 
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large enough in order to be able to provide this donating 
(donor) function. 

[0046] With further reference to fig. 6 the basic structure 
and function of block 40 depicted in fig. 3 will be described in 
more detail next below. An autonomic system controller 60 
comprises any logic required for handling system faults, as this 
is done in prior art, see back to fig. 2 system fault handler 
36. It is connected to a set 62 of registers storing static data 
used by the firmware which implements the control logic. 
Controller 60 is further connected to a set 66 of registers, 
which store a plurality of relevant state parameters in 
respective register tables, said parameter describing the actual 
and the desired system state, i.e., error states, etc. Said 
autonomic system controller 60 is further connected to a 
register set 68, which stores static data required to operate 
the inventive DSSM mechanism. Thus, all parameters describing 
the DSSM circuit 64 (described further below) , the multiplexing 
of storage accesses and the inventionally provided address 
morphing mechanisms are stored therein. 

[0047] The autonomic system controller 60 is further 
connected to a DSSM signal control circuit 64, which realises 
the doing of the control logic provided in above-mentioned 
autonomic system controller 60. In particular, the tasks of 
source multiplexing and the before-mentioned shifting of bits 
are performed herein. 

[0048] Further, according to a particular, advantageous 
feature of the present invention said autonomic system 
controller 60 is also connected to a split-cycle timing 
generator 70. Said generator 70 is connected to a set 72 of 
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registers storing static data required for operating with the 
DSSM signal control circuit 64 during its tasks of multiplexing 
and storage address morphing. 

[0049] Further, said split-cycle timing generator 7 0 is 
connected to the before-mentioned DSSM signal control circuit 64 
in order to control a shared access to the donor ECU memory 
subsystem by both processors 20 and 28, when said real-time 
storage subsystem has a breakdown. Details of the split-cycle 
mode and the respective timing are described later with 
reference to fig. 8. 

[0050] With further reference to fig. 7 further details are 
given specifying the operation of the DSSM signal control 
circuit 64 in fig. 6. A multiplex and address significance shift 
circuit 72 is provided, which is connected to a set 74 of DSSM 
signal attribute control registers, which store any signal 
attributes required to multiplex incoming addresses A2 0-A23 to 
the bit-shifted addresses A20-A23 at the right hand margin of 
the figure. Control lines 7 6 are provided to control forced 
ON/OFF of the signal lines depicted in a multiplexer circuit, of 
which a preferred implementation, a FET multiplexer so-called 
force on/off "morphing" array, is described with greater detail 
with reference to fig. 9 later below. 

[0051] The left-side input lines denoted by SS1-A20, .. SS2- 
A23 are address lines controlled by a respective CPU(l) or (2) 
representing addresses A20 to A23 of either of said CPUs, CPU(l) 
or CPU (2) . 
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[0052] The output lines at the right bottom of the figure are 
addresses lines connecting to Addresses A20 to A23 of the 
storage subsystem 2 (SS2). 

[0053] According to the invention the addresses A20 to A23 
can be fed via the control lines 7 6 from either of both CPUs to 
the storage subsystem 2. This is controlled by defining the 
address either a morphed (slot down) or unmorphed (slot up) 
form. For example, address line AO of storage subsystem 2 can be 
connected to A20, A21, A22 or A23 of either CPU(l) or CPU(2) by 
either forcing the line to u 0" or 1", respectively. This way any 
slot up or slot down process can be controlled according to the 
invention. 

[0054] With further reference to fig. 8 details on the 
inventional DSSM split-cycle mode storage access are given next 
below. Both processing branches -PBl of real-time processor 20, 
-CPU(l) and PB2 of Multimedia processor 28, CPU(2), access the 
same memory subsystem 32, i.e. that of the donor ECU. 

[0055] The first line showing crossing signal lines is given 
just to indicate that the timing scheme is valid independent of 
the actually present bit status of either, address lines or 
control lines. 

[0056] Between time tl and t2 a data access time is shown 
belonging to a preceding data access, not relevant by which 
processor - assume done by the real-time processor 20 for branch 
PBl- addressing the protected high address range 50, refer back 
to fig. 5, with " virtual addresses" generated by the morphing 
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process and slotting down into a " logical" lower address range 
accessible by the real-time processor. 

[0057] During that time the data arrives at the respective 
read output ports of memory 32. Between t2 and t3 all of said 
data is definitely valid and may be captured into a respective 
register. This reflects usual prior art memory access 
technology. 

[0058] According to a preferred aspect of the present 
invention, during t3 and t4 a predetermined time zone 80 is 
provided, in which the above described address transforming 
process and multiplex / switching process may take place, in 
order to switch the read access circuitry to enable access by 
the multimedia processor 28, ie for running a read access for 
processing branch 22, PBl . Thus, in time zone 80 new addresses 
are generated and the circuit is switched for preparing the read 
access for PB2 . 

[0059] Then the same read cycle is run for the processing 
branch PB2 of the multimedia processor 28. Thus, between t4 and 
t5 the new PB2 data arrives at the read output ports, from which 
it may be captured into specific PB2 read registers after it is 
valid between time t5 and t6. 

[0060] Then a new read access for the real-time processor is 
assumed to be desired. In order to do that the address morphing 
done during time zone 80 must be inversed again. This is done in 
time zone 82 by inverting the morphing procedure as described 
above. Thus, a slot-down procedure is done, and the multiplexer 
is switched back in favour to PBl, in order to prepare the 
memory addressing circuitry for a read access ready for the 
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real-time CPU(l), which may then start after t7 . Then the same 
read cycle is repeated as it was described before. 

[0061] The write access can be handled according to the same 
scheme . 

[0062] With further reference to fig. 9 an advantageous 
multiplexer implementation - nearly zero-time-delay address 
multiplexer - is illustrated by way of example and restricted to 
a small number of address lines for sake of clarity. Thus, only 
a small section of the whole multiplexer unit, which is 
advantageously implemented as a Field-Effect-Transistor (FET) 
switch in array form, is depicted in fig. 9. 

[0063] Fig. 9 illustrates an example allowing the CPU(l) to 
access either SSI or SS2 . 

[0064] An input switch 102 has a control select input signal 
denoted as SSI, or SS2, respectively. SSI is assumed to 1 
correspond to value „high u and SS2 is assumed to represent 
„low w . The switch has two output lines 106, 108 respectively, of 
which 106 is inverted. A number of 8 transistors are provided, 
which switch through either the signal incoming at SS1-A0 input 
line, or SS2-A0 input line for an address line AO dedicated to 
real-time processor 20. 

[0065] The control is done via the select line 104. In case a 
low value is present at line 104, output line 108 is also low 
and output line 106 is high. Thus, when an N-channel MOS- 
transistor in CMOS-type is implemented, having the gate 
characteristics as it is depicted in fig. 10, the address line 
SS2-A0 would be switched through to the output for real-time 
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processor 20, depicted in the drawing as CPU(l) . Otherwise, the 
input line SSI-AO would be switched through. The same is done 
for all address lines and the rest of control lines for 
addressing the total of address and control lines required for 
operating the real-time processor in case of storage subsystem 
breakdown . 

[0066] With additional reference to fig. 10 the before- 
mentioned CMOS-gate characteristics are illustrated, which are 
applied in the before-mentioned nearly zero-time-delay address 
multiplexer example given in fig. 9. As the ON-resistance 
corresponding to an input voltage at the gate of 0 Volt produces 
the conducting state having very low resistance of less than 1 
Ohm, and given an input capacity of an address line into the 
memory subsystem of about 5 to 10 Picofarad, a very low R/C 
switching time delay results in the range of a couple of 
Picoseconds or even Femtoseconds. Thus, applying those FET 
switches is advantageous for maintaining the split cycle mode 
depicted in fig. 8. 

[0067] In the specific telematics example given above the 
described operation method is extremely adapted to the situation 
in high end automotive embedded systems. In this case the real- 
time processor 2 0 does not need a large memory, but instead it 
should be able to handle interrupts quite fast in order to 
process the sensed real-time data. The multimedia processor 18, 
however, is very well adapted to take over the role of a donor- 
ECU as it is per se provided with a large memory and with a high 
performing processor. In situations, in which the 
characteristics are not thus significantly different, the 
inventive method can be adapted by reserving a relatively large 
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storage area to a reduced number of non-donor as well as to 
donor ECUS . 

[0068] The present invention can be realized in hardware, or 
a combination of hardware and software, for example in a 
programmable ASIC form or with selected units being implemented 
in any type of hardware implementation as required by the 
applicational use of the embedded system. 

[0069] A variety of modifications and adaptations are 
feasible to reflect and adapt to respective applicational uses: 
It should be noted for example that the number of non-donor ECUS 
can also be greater than one, which is thus different to the 
before-described preferred embodiment. In this case, a 
respective larger plurality of reserved storage areas is 
provided in the donor ECU storage subsystem. Further, it will be 
appreciated by a person skilled in the art that the split-cycle 
operation mode, which was discussed earlier, is then modified 
accordingly. For example, given a case, in which a number of 
four non-donor ECUs are present, a solution is to apply the 
same split- cycle scheme in a first cycle for the first non- 
donor ECU, in a later cycle for a second non-donor ECU, in a 
third later cycle for a third non-donor ECU, etc. Alternatively, 
the storage area morphed according to the present invention for 
being accessed by the non-donor ECUs can also be applied 
according to access rules, which implement a certain priority 
sequence. In this way it is possible to handle the most 
important functions with a higher priority compared to less 
important functions. This might be of increased importance in 
case of X-by wire scenarios, in which any functionality, like 
steering or actuating the break of a vehicle is performed 
without any mechanical transformation chain, but solely computer 
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calculated and actuated by a motor driven by respective 
computer-generated control signals. 

[0070] Further, the error status definition may vary 
according to the actual application for which the embedded 
system is used. In cases, in which error handling is less 
complex, it may be advantageous to render the error management 
less radical . 



